Security and Compliance Rest Assured With Top-Tier Data Security

Trulioo is dedicated to ensuring the highest level of privacy and data security, and it has the credentials to prove it.

Trulioo is committed to data security, risk management and technical support. The Trulioo Information Security and Technical Compliance team delivers layers of preventive measures, including awareness training, to protect Trulioo technology and the data that fuels a global platform of verification services. The team establishes and validates controls and procedures to manage risk while providing the infrastructure to ensure the organization’s continued operations.

Top-Level Credentials Ensure Data Security and Privacy

ISO 27001 Certification

The security framework, created by the International Organization for Standardization (ISO), assesses a company’s ability to keep its data safe through policies, procedures, training, monitoring, auditing, incident response and communications. Trulioo has been ISO 27001-certified since 2015.

SOC 2 Type 2 Qualification

The Service Organization Control (SOC) Type 2, created by the American Institute of Certified Public Accountants, is a cybersecurity framework that establishes standards for how third-party service providers should securely store and process customer data. Truilioo obtained SOC 2 Type 2 in February 2024.

Key Components of the Trulioo Information Security Program

Regulatory Compliance
Trulioo policies and procedures define responsibilities and establish best business practices to ensure the confidentiality, integrity and availability of information and technology resources.
Regulatory Compliance
All users of Trulioo information and technology resources must complete annual information security and privacy training. Employees also regularly undergo phishing awareness training.
Regulatory Compliance
Trulioo applies multiple layers of controls to manage access to information systems. Those include multifactor authentication, single sign-on and password management tools that prevent unauthorized access. When working remotely, employees access Trulioo systems through a virtual private network. Trulioo grants access to its systems based on the principle of least privilege and regularly conducts user access reviews.
Regulatory Compliance
Trulioo operates in a hosted environment and has designed its infrastructure for redundancy and automatic failover across multiple regions to ensure uptime. Network segmentation, logging and monitoring, web-application firewalls, and load balancing provide security and availability management. A third party annually conducts penetration tests of Trulioo networks and applications.
Regulatory Compliance
Trulioo aligns with the EU’s General Data Protection Regulation for data classification, labeling, handling and security. Trulioo encrypts all data at rest and in transit based on industry standards. The AWS Key Management System manages Trulioo keys. Employee training also strengthens protections for Trulioo data and the information provided by customers and partners.
Regulatory Compliance
Trulioo has a comprehensive program to manage the risk associated with third-party relationships. The program includes due diligence at onboarding, risk management, incident outreach and awareness, annual supplier and partner reassessments, and ongoing reporting and management oversight. Trulioo and third parties agree to contractual obligations for information security.
Regulatory Compliance
Trulioo undergoes frequent audits. That includes an annual internal audit covering ISO 27001 requirements by an independent third party, an assessment of ISO 27001 ISMS by a qualified registrar and a SOC 2 Type 2 audit by an accredited external firm.
Regulatory Compliance
Trulioo leadership has established roles and responsibilities for managing and securing data and technology resources. The executive management and senior leadership teams participate in quarterly Security Committee meetings to ensure awareness, provide feedback and guidance, and maintain ongoing information security management and oversight.

Frequently Asked Questions

Learn more about Trulioo data security and privacy.

Staff members learn the security policy at onboarding, during annual training and in monthly phishing awareness exercises.

Trulioo logically segregates all client data and does not allow client data outside of production.

Trulioo monitoring tools provide alerts for anomalous access and failed access attempts, which are then manually reviewed as required.

Trulioo has a suite of policies governing information security as required by ISO 27001 and supplemented by business operations. Executive leadership signs off on all policy updates and communicates that to all staff members.

Trulioo requires complex passwords that include at least one special character, one numeral and one upper-case letter. Passwords must be changed at regular intervals.

Service Organization Control Type 2, created by the American Institute of Certified Public Accountants, is a cybersecurity framework that establishes standards for how third-party service providers should securely store and process customer data.

The security framework, created by the International Organization for Standardization, assesses a company’s ability to keep its data safe through policies, procedures, training, monitoring, auditing, incident response and communications.

Trulioo manages access based on the principle of least privilege and on a need-to-know basis.